python-django

Description: A high-level Python Web framework that encourages rapid development and clean design
Version: 2.1.5-1 [extra]

Resolved

Group | Affected | Fixed | Severity | Status | Ticket
AVG-839 | 2.1.4-1 | 2.1.5-1 | Medium | Fixed |
AVG-773 | 2.1.1-1 | 2.1.2-1 | Medium | Fixed |
AVG-743 | 2.0.7-2 | 2.0.8-1 | Medium | Fixed |
AVG-649 | 1.11.10-1 | 1.11.11-1 | Medium | Fixed |
AVG-624 | 1.11.8-1 | 1.11.10-1 | Medium | Fixed |
AVG-233 | 1.10.3-2 | 1.11-1 | Medium | Fixed |
AVG-57 | 1.10.2-1 | 1.10.3-1 | High | Fixed |
AVG-35 | 1.9.9-1 | 1.10.1-1 | Medium | Fixed |
Issue | Group | Severity | Remote | Type | Description
CVE-2019-3498 | AVG-839 | Medium | Yes | Content spoofing | A content spoofing issue has been found in django before 2.1.5 and 1.11.18, where an attacker could craft a malicious URL that could make spoofed content...
CVE-2018-7537 | AVG-649 | Medium | Yes | Denial of service | If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to...
CVE-2018-7536 | AVG-649 | Medium | Yes | Denial of service | The django.utils.html.urlize() function was extremely slow to evaluate certain inputs due to catastrophic backtracking vulnerabilities in two regular...
CVE-2018-6188 | AVG-624 | Medium | Yes | Information disclosure | A regression in Django 1.11.8 and 1.11.9 before 1.11.10 and 2.0 before 2.0.2 made AuthenticationForm run its confirm_login_allowed() method even if an...
CVE-2018-16984 | AVG-773 | Medium | Yes | Information disclosure | If an admin user has the change permission to the user model, only part of the password hash is displayed in the change form. Admin users with the view (but...
CVE-2018-14574 | AVG-743 | Medium | Yes | Open redirect | If the django.middleware.common.CommonMiddleware and the APPEND_SLASH setting are both enabled, and if the project has a URL pattern that accepts any path...
CVE-2017-7234 | AVG-233 | Medium | Yes | Open redirect | A maliciously crafted URL to a Django site using the serve() view could redirect to any other domain. The view no longer does any redirects as they don't...
CVE-2017-7233 | AVG-233 | Medium | Yes | Cross-site scripting | Django relies on user input in some cases (e.g. django.contrib.auth.views.login() and i18n) to redirect the user to an "on success" URL. The security check...
CVE-2016-9014 | AVG-57 | High | Yes | Access restriction bypass | Older versions of Django don't validate the Host header against settings.ALLOWED_HOSTS when settings.DEBUG=True. This makes them vulnerable to a DNS...
CVE-2016-9013 | AVG-57 | High | Yes | Authentication bypass | When running tests with an Oracle database, Django creates a temporary database user. In older versions, if a password isn't manually specified in the...
CVE-2016-7401 | AVG-35 | Medium | Yes | Cross-site request forgery | Sergey Bobrov found a vulnerability where an interaction between Google Analytics and Django's cookie parsing could allow an attacker to set arbitrary...

Advisories

Date | Advisory | Group | Severity | Description
11 Jan 2019 | ASA-201901-6 | AVG-839 | Medium | content spoofing
01 Oct 2018 | ASA-201810-5 | AVG-773 | Medium | information disclosure
01 Aug 2018 | ASA-201808-1 | AVG-743 | Medium | open redirect
06 Mar 2018 | ASA-201803-5 | AVG-649 | Medium | denial of service
06 Apr 2017 | ASA-201704-2 | AVG-233 | Medium | multiple issues
16 Nov 2016 | ASA-201611-15 | AVG-57 | High | multiple issues
21 Oct 2016 | ASA-201610-13 | AVG-35 | Medium | cross-site request forgery